Passkeys replacing the need for 2FA

I don’t understand passkeys, but I have obtained and used a few of them. I obtained a passkey from hyatt.com, but I’m unable to use it, and I wonder if Hyatt is blowing smoke. When I reported that there is no option to log in using a passkey rather than a username and password, I received this response from Hyatt.

On our website it will not provide a sign-on option to sign in with passkey. When using passkey, the option is presented by the device/browser itself on the sign-in screen.

Does this make sense? At other sites, I’m asked if I want to use a password or a passkey. It’s only at hyatt.com that there is no option to use a passkey offered.

Sounds like the Hyatt website doesn’t treat you very well! Do you think its iOS or iPad app would work better for you?

That’s how Fastmail’s login page works for me. As soon as the page loads, the 1Password extension shows me a list of passkeys I’ve set up for Fastmail. Once I choose one, I’m logged in. There’s no need to click a button to choose logging in with a passkey. I figure the site sets a cookie that says I used a passkey before, so it just asks for one immediately.

When I open a new private window, it doesn’t know I have passkeys, and I have to enter a user name. It then gives me the option to log in with a password or a passkey.

1 Like

I’m not an app person, so I don’t know. It might be that I do not function the way the web site’s designers expect a customer to function, and using an app could have the same situation. (See below.)

Hmm. You spurred me to poke around more, and I did find how to use a passkey at hyatt.com, but I do need to click a button (at this and every site for which I have a passkey, as far as I can recall). On the other hand, I do not use 1Password, and that might be the difference.

For anyone who cares, the Hyatt web site offers the ability to log in using an email address or a member number, with email address being the default offering. I had always clicked Sign In With Password and had never seen the passkey option. This most recent time, I clicked in the email field. Before I entered a single character, I was given the option to use a passkey. My opinion is that the option to use a passkey should have been offered when I clicked in the Member Number field. As I said, it might be that I do not function the way the web site’s designers expect a customer to function.

If that’s the case, I’d say a big factor is that online experiences are now almost always designed with phones and tablets in mind first with desktops/laptops as an afterthought. This is because desktop OS use has been in decline for years.

Regardless, I’ve always agreed with an old saying from the Wall Street Journal’s former lead tech columnist, Walt Mossberg: “Just remember: you’re not a ‘dummy,’ no matter what those computer books claim. The real dummies are the people who, though technically expert, couldn’t design hardware and software that’s usable by normal consumers if their lives depended upon it.”

4 Likes

I’d like to comment on a few points about the technology underlying passkeys.

You mentioned “secure public key infrastructure,” but as I understand it, WebAuthn (the standard behind passkeys) doesn’t use a PKI in the traditional sense, with Certificate Authorities and so on. It instead uses public-key cryptography, where the security relies entirely on your private key being held securely.

The original design, and the one used by hardware keys like YubiKeys, uses a hardware security module (TPM, such as Secure Enclave) to generate a private key that physically cannot leave the chip. When logging in, the website sends a random challenge and one’s browser passes this to the chip, which is then approved by a touch, password or biometrics. The chip then signs the challenge with the private key. A crucial aspect is that the private key is never exposed, making it immune to phishing because the key is bound to the specific domain (e.g. google.com vs go0gle.com) and unstealable by malware.

This brings me to the “dilution” of the standard by the major platform providers. To solve the “lost phone” problem, they’ve created syncable passkeys. This is where the trust model changes. Contrary to a common misconception (stated for example in a footnote to the Six Colors article you cite), the private keys are still generated and protected inside the Secure Enclave. However, a copy of the key material is then synced via (for example) iCloud or Google’s Password Manager.

This has two major consequences:

  1. The security of your passkey is now tied to the security of your Apple/Google account and the integrity of their cloud encryption. The “unexportable” promise has been compromised for convenience.
  2. It creates ecosystem lock-in. There is no standard way to sync passkeys from iCloud to a Windows/Android environment. How do you migrate ecosystems if your digital identity is tied to proprietary sync mechanisms?

So, if a black hat gets a copy of your software-vaulted passkeys (e.g., by compromising a password manager’s vault file, NOT by extracting from a Secure Enclave), can they buy 10 motorcycles on your Amazon account? They would still need to “unseal” the vault, which might require your master password or biometric. But the risk of the key material itself being copied now exists, where it didn’t with a hardware-only key.

I agree with the goals of getting rid of passwords, but I’m concerned that the original, open, interoperable vision based on hardware security has been co-opted into a less secure, vendor-locked system. In my view, a standard for secure, cross-platform key migration should have been a prerequisite.

2 Likes
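The challenge-response and domain binding described in the post above, as an added illustration that is not code from this thread or from any WebAuthn library. It is a toy Go model: the authenticator keeps private keys scoped to a relying-party ID, signs a server challenge together with the page origin, and refuses to use a credential for an origin that does not match that ID. The rpID example.com and the look-alike examp1e.com are constructed stand-ins for the google.com / go0gle.com pair; real authenticatorData also carries flags and a signature counter, which are omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Authenticator models the chip: private keys scoped to a relying-party ID (rpID)
// that are never handed out. Constructed toy, not a real WebAuthn implementation.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> private key
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is all the relying party ever receives: a signature, never the key.
type Assertion struct {
	AuthData   []byte // here just SHA-256(rpID); real authenticatorData adds flags and a counter
	ClientData []byte // JSON-encoded clientData
	Signature  []byte // ASN.1 ECDSA over SHA-256(authData || SHA-256(clientData))
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a key pair bound to rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = priv
	return &priv.PublicKey
}

// rpIDAllowedForOrigin mirrors the browser rule: the rpID must be the origin's host
// or a parent domain of it, so a look-alike domain cannot ask for the real rpID.
func rpIDAllowedForOrigin(rpID, origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := u.Hostname()
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// signedMessage is the value WebAuthn signs: SHA-256(authData || SHA-256(clientData)).
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert signs the server's challenge for the page at origin; the key stays inside.
func (a *Authenticator) Assert(rpID, origin, challenge string) (*Assertion, error) {
	if !rpIDAllowedForOrigin(rpID, origin) {
		return nil, errors.New("origin " + origin + " may not use rpID " + rpID)
	}
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: rpHash[:], ClientData: cd, Signature: sig}, nil
}

// Verify is the relying party's side: rpID hash, type, origin, fresh challenge, signature.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as *Assertion) error {
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData, want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != expectedOrigin || cd.Challenge != challenge {
		return errors.New("clientData mismatch (type, origin or challenge)")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientData), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// NewChallenge returns 32 random bytes, base64url-encoded, as a server would send.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	auth := NewAuthenticator()
	pub := auth.Register("example.com") // constructed rpID
	ch := NewChallenge()
	as, err := auth.Assert("example.com", "https://example.com", ch)
	fmt.Println("genuine site:", err, Verify(pub, "example.com", "https://example.com", ch, as))
	_, err = auth.Assert("example.com", "https://examp1e.com", ch)
	fmt.Println("look-alike origin:", err)
	fmt.Println("stale challenge:", Verify(pub, "example.com", "https://example.com", NewChallenge(), as))
}
```

Two checks carry the phishing resistance: the authenticator only signs for an rpID that matches the page origin (so a look-alike domain never obtains a signature for the real site's ID), and the relying party rejects any assertion whose origin or challenge is not the one it issued (so a captured assertion cannot be replayed).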

Excellent post.

Just a comment, though - this is coming, soon. FIDO and its partners are developing a standard for export/import, and Apple’s 26 OSes releasing this month will soon/eventually support it. I assume that Google and Microsoft will be doing so as well in Android and Windows, as well as Linux and other Unix-based OSes.

That sounds interesting. I couldn’t find this on the WebAuthn GitHub – I’d be grateful for any pointers you might have.

From quick searching, this is a pretty good overview of CXP and CXF: WebAuthn Credential Exchange Protocol (CXP) & Format (CXF)

Plus Apple’s 26 versions support: Coming to Apple OSes: A seamless, secure way to import and export passkeys - Ars Technica

1 Like

Thanks very much for those links; the CXF draft looks interesting.

I guess the use of a password manager is the compromise many who wish to use passkeys cross-platform are or will be making, despite their being vulnerable to malware. Passkeys still offer important protection against bad passwords and phishing attacks though, so that’s good – a bit like password-protected ssh keys for everyone, but for web services.

Still, I imagine other forms of auth may continue to be used in addition to passkeys due to the fact that many passkeys won’t be kept on the secure TPM devices first envisaged by the WebAuthn standard. It’ll be interesting to see how this plays out.

I decided to run a test on that today. Using the demo app on https://www.passkeys.io/, I created a passkey using Firefox on my Mac.

Firefox stored the passkey in my iCloud keychain. It was usable in Safari and on my iPhone immediately afterward.

Firefox did not, however, sync it via the Firefox password sync feature. It doesn’t appear that Firefox stored the passkey anywhere at all, but handed off all management to macOS. So when I went to an instance of Firefox on a Windows PC, I needed to use the QR code and my phone to authenticate. Ditto for my Linux PC.

This is better than I expected (cross-browser, if not cross-platform). The big problem remaining is that cross-platform sync. If I am working on Windows (where the Microsoft account is managed by my employer) or Linux (where I have no cloud synchronization other than Firefox Sync) and create a passkey there, it is not going to make its way into my other devices, including my phone, making them useless on the go.

Maybe I could solve the Windows situation using Apple’s iCloud utility there, but it’s my employer’s computer and I don’t really want to install such a tool there.

So, I’m going to keep waiting before using them on anything important, but I may start using them for less-important sites, as long as I create the passkey on my Mac, where they can be synced to my phone and my other Apple devices.

1 Like

Alas, Apple Passwords iCloud Keychain sync does not sync passkeys to Windows.

I think the closest is using 1Password or Bitwarden, which will sync passkeys between devices and generally have extensions for most browsers. I just checked - my passkeys in Bitwarden worked in Firefox on Windows.

Am I missing something? Both 1PW and Bitwarden have extensions for all common browsers that will allow the same passkey to be used in any of them.

1 Like